svn rev #21767: branches/mkey_migrate/src/ kadmin/dbutil/ lib/kdb/

wfiveash@MIT.EDU wfiveash at MIT.EDU
Tue Jan 20 20:22:52 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21767
Commit By: wfiveash
Log Message:
Made a change to the code reading the mkey stash to use the enctype
stored in the stash instead of overriding that with what is set in the
global parameter.  This allows a stashed mkey's enctype to differ from
the current mkey stored in the K/M princ.  I also updated
krb5_def_fetch_mkey_list() to avoid a crash when trying to decrypt data
encrypted with a des-cbc-crc key with an aes-128 key.



Changed Files:
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
U   branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
U   branches/mkey_migrate/src/lib/kdb/kdb_default.c
Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c	2009-01-20 23:49:08 UTC (rev 21766)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_mkey.c	2009-01-21 01:22:44 UTC (rev 21767)
@@ -49,7 +49,7 @@
     krb5_kvno old_kvno, new_mkey_kvno;
     krb5_keyblock new_master_keyblock;
     krb5_key_data tmp_key_data, *old_key_data;
-    krb5_enctype new_master_enctype = DEFAULT_KDC_ENCTYPE;
+    krb5_enctype new_master_enctype;
     char *new_mkey_password;
     krb5_db_entry master_entry;
     krb5_timestamp now;
@@ -65,7 +65,7 @@
     while ((optchar = getopt(argc, argv, "e:s")) != -1) {
         switch(optchar) {
         case 'e':
-            if (krb5_string_to_enctype(optarg, &new_master_enctype)) {
+            if (krb5_string_to_enctype(optarg, &global_params.enctype)) {
                 com_err(progname, EINVAL, ": %s is an invalid enctype", optarg);
                 exit_status++;
                 return;
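Review bot: The `-e` handler now stores the parsed enctype directly into `global_params.enctype`, so the override takes effect for everything that reads the global configuration after this point, and it stays in place even when a later option error takes the `return` path; if that is intended, say so at the call, e.g. `/* -e overrides the configured master enctype for the rest of this run */`. Together with the first hunk, which drops the `DEFAULT_KDC_ENCTYPE` initialiser, `new_master_enctype` now depends entirely on `global_params.enctype` having been populated by the parameter loading that runs before this command; the copy `new_master_enctype = global_params.enctype;` in the following hunk would be clearer with a one-line comment stating that assumption. The enclosing function's body continues outside these hunks.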
@@ -81,6 +81,8 @@
         }
     }
 
+    new_master_enctype = global_params.enctype;
+
     /* assemble & parse the master key name */
     if ((retval = krb5_db_setup_mkey_name(util_context,
                                           global_params.mkey_name,

Modified: branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c
===================================================================
--- branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c	2009-01-20 23:49:08 UTC (rev 21766)
+++ branches/mkey_migrate/src/kadmin/dbutil/kdb5_util.c	2009-01-21 01:22:44 UTC (rev 21767)
@@ -473,16 +473,20 @@
 	free(scratch.data);
 	mkey_password = 0;
 
-    } else if ((retval = krb5_db_fetch_mkey(util_context, master_princ, 
+    } else {
+        /* let the stash decide the enctype */
+        master_keyblock.enctype = ENCTYPE_UNKNOWN;
+        if ((retval = krb5_db_fetch_mkey(util_context, master_princ, 
 					    master_keyblock.enctype,
 					    manual_mkey, FALSE,
 					    global_params.stash_file,
 					    &kvno,
-					    0, &master_keyblock))) {
-	com_err(progname, retval, "while reading master key");
-	com_err(progname, 0, "Warning: proceeding without master key");
-	exit_status++;
-	return(0);
+                                            0, &master_keyblock))) {
+            com_err(progname, retval, "while reading master key");
+            com_err(progname, 0, "Warning: proceeding without master key");
+            exit_status++;
+            return(0);
+        }
     }
 #if 0 /************** Begin IFDEF'ed OUT *******************************/
     /* krb5_db_fetch_mkey_list will verify the mkey */
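Review bot: Setting `master_keyblock.enctype = ENCTYPE_UNKNOWN` before the fetch hands the enctype decision to the stash, but the same `krb5_db_fetch_mkey` call is also the keyboard path when `manual_mkey` is set, and nothing in this commit shows how the callee turns an unknown enctype into a usable key when no stash is read; that requirement should be confirmed and recorded, e.g. `/* let the stash decide the enctype; krb5_db_fetch_mkey must accept ENCTYPE_UNKNOWN on both the stash and the prompt path */`. The retained continuation lines of the call keep tab indentation while the new lines use spaces, so the argument list no longer aligns with the opening parenthesis. The enclosing function starts and ends outside the hunk.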

Modified: branches/mkey_migrate/src/lib/kdb/kdb_default.c
===================================================================
--- branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-20 23:49:08 UTC (rev 21766)
+++ branches/mkey_migrate/src/lib/kdb/kdb_default.c	2009-01-21 01:22:44 UTC (rev 21767)
@@ -523,9 +523,18 @@
      * Check if the input mkey is the latest key and if it isn't then find the
      * latest mkey.
      */
-    if ((retval = krb5_dbekd_decrypt_key_data(context, mkey,
-                                              &master_entry.key_data[0],
-                                              &tmp_clearkey, NULL)) != 0) {
+
+    if (mkey->enctype == master_entry.key_data[0].key_data_type[0] &&
+        mkvno == (krb5_kvno) master_entry.key_data[0].key_data_kvno) {
+        if (krb5_dbekd_decrypt_key_data(context, mkey,
+                                        &master_entry.key_data[0],
+                                        &tmp_clearkey, NULL) == 0) {
+            current_mkey = mkey;
+            found_key = TRUE;
+        }
+    }
+
+    if (!found_key) {
         /*
          * Note the mkvno may provide a hint as to which mkey_aux tuple to
          * decrypt.
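Review bot: The new guard `mkey->enctype == master_entry.key_data[0].key_data_type[0]` avoids calling `krb5_dbekd_decrypt_key_data` with a mismatched key, but according to the log message the crash lives in that decrypt path, and every other caller that can pass a key of the wrong enctype still reaches it; the decrypt routine should itself reject a keyblock/key-data mismatch with an error, with this check kept only as the fast path. The same guard is duplicated in the brute-force loop later in this function and would be better expressed once. This branch also relies on `found_key` already being FALSE before the hunk, which the previous code did not need; `found_key = FALSE;` next to the new test would make that explicit, as the initialisation is outside this view. The enclosing function continues past the hunk.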
@@ -545,13 +554,14 @@
                 }
             }
         }
-        if (found_key != TRUE) {
+        if (!found_key) {
             /* given the importance of acquiring the latest mkey, try brute force */
             for (aux_data_entry = mkey_aux_data_list; aux_data_entry != NULL;
                  aux_data_entry = aux_data_entry->next) {
 
-                if (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey,
-                                                &tmp_clearkey, NULL) == 0) {
+                if (mkey->enctype == aux_data_entry->latest_mkey.key_data_type[0] &&
+                    (krb5_dbekd_decrypt_key_data(context, mkey, &aux_data_entry->latest_mkey,
+                                                &tmp_clearkey, NULL) == 0)) {
                     found_key = TRUE;
                     /* XXX WAF: should I issue warning about kvno not matching? */
                     break;
@@ -565,8 +575,6 @@
             }
         }
         current_mkey = &tmp_clearkey;
-    } else {
-        current_mkey = mkey;
     }
 
     /*



